Cool idea, but what happens with the data?

[NateKVR]

I'm not entirely sure what you think can be done with a Machine ID. It is an identifier, nothing more and really pretty safe to share. Google it. Plenty of info out there.

As has been explained to you:

A machine ID is personal data, so is an IP address.

You come across as out of touch on privacy issues. I'm not really interested in your opinion on what is "safe to share." What is a good approach is to share only what's necessary and, based on what you've said so far, gathering machineID isn't necessary. So, it's good privacy practice to question your practice of gathering unnecessary information.

Thanks for the feedback, and totally respect you wanting to question...

From our perspective, the machineID at the time was necessary, as I explained, to differentiate scans on different computers. It's easy to call from within the JUCE scanner along with OS version etc., for the most part is not considered questionable AFAIK and the alternative would require building out further functionality to allow for custom naming which then complicates things much further.

Just to try explain where we are coming from, other reasons for recording some data like processor specs etc. for example was to try match that against plugin info to determine if a plugin was M1 compatible and update our database as such... that wasn't fully implemented yet though. We also thought being able to compare hardware with friends when comparing groups would be a useful addition as well as having your specs on hand if you were trying to contact a developer for support.

Anyways, as mentioned, we'll discuss and see if we can find a more explicit means of communicating this at sign in or installation to reduce any potential confusion.

[NateKVR]

The tone could be a little more friendly

Sorry!

You could for example ask instead;
have you designed this based on the principle of "privacy by design"?
is the software designed on the principle of "Data minimisation"

(Data minimisation is a fundamental principle under the GDPR. It means that you only should collect and process personal data that is absolutely necessary to fulfil your purpose.

You sound well versed in this topic… perhaps we need to get you to consult on this.

Put this way, yes I'm pretty confident the data collected is necessary to fulfil the purpose of the application which was primarily to assist with managing plugins, automate the creation of groups in MyKVR and match up products so as to provide info on updates etc.

The other aspect was to provide a platform that would service our database. Referring to the anonymized data mentioned in the EULA, for example, we can now track how many times a specific plugin was scanned, if we find plugin-X.vst3 was scanned 10 times but doesn’t have an associated product page linked in the KVR Product Database, we can immediately see this and prioritise upkeep on our end, ultimately resulting in a more complete and more useful source of info for everyone… and coincidentally the more complete the database, the better the app is at providing a service to users locally on their computers.

I really hope this clarifies things a bit better. Happy to consider all suggestions and we'll see what we can do down the line.

[jamcat]

You have to link your KSM app to your KVR user account.
KVR Marketplace Orders are associated with your user account, and contain billing & contact details.

[BackInCheck]

Machine ID is a pretty sensitive piece of data, an explicit identifier and one that can contain additional identifying or personal information. What if my Machine ID contains my personal name or the name of my child or loved one, or a date or place of birth etc.?

Do you think I want to share this info publicly or store it on some ominous servers in another part of the world?

I don't consider the Machine ID as a "basic system info". It's totally different from retrieving and storing info about the amount of RAM or the OS someone uses, it's a personal identifier, that can be as unique as an IP or MAC Address.

Speaking of IP and MAC Addresses: do you coincidentally store this info as well?

For the sake of transparency, please provide a complete list of all the data that you collect and/or store and/or share.

Please ensure that you fully understand the EU GDPR, since a significant percentage of your traffic is from this jurisdiction and non-compliance carries the risk of significant penalties.

[Ben [KVR]]

We do not share ANY personal information about any KSM user with anyone. No third party will ever know what plugins you have synced via KSM or what version number of any plugin you have installed or what your computer's name or ID is or what OS you are using or ... anything. We do not share ANY personal information about any KSM user with anyone.

Developers that manage their brand(s) at KVR can see summary data of their plugins. e.g. what plugins of theirs have been synced to KVR and matched (or not) to the relevant KVR PDB entry. They can manage these matches and manually match or fix any incorrect matches. They CANNOT see any personal data. They do NOT see who synced a product or any of the information about the device that synced it.

Device ID and Name

When you login we send "os", "deviceId", "deviceName", and "appVersion" to the server.

"os" identifies Windows or macOS, which is relevant for plugin matching and versioning.

"deviceId" is a unique identifier for the current computer (device). This is used with the authentication token for the device and to associate any plugins sent in a report to a generated MyKVR Group.

The "deviceId" is generated using this JUCE function: https://docs.juce.com/master/classSyste ... 22c52f32a4

It is not a product key, or any other type of identifiable id. It is not used for anything other than matching the device to the group. We don't share it. If we did it would mean nothing to anyone.

"deviceName" is a friendly name for the current computer (e.g. "Studio PC"). It is used to identify the MyKVR Group associated with deviceId. It uses the computer's name by default but you can edit the group name in the KSM web frame (or on the website) by clicking Manage and then editing the group name.

You can delete the group via the KVR MyKVR website - https://www.kvraudio.com/mykvr - go to the group, click Manage and then Delete Group - all data for it will be removed. A new group will be created for the device if you log in via KSM again.

"appVersion" is the current version of KSM, so we can tell you if a newer version is available.

Syncing

When "Sync with KVR" is clicked we send the OS again, plus a list of all the installed plug-ins and information about the device.

Here's an example of a product's info (this is used to match the plugin to a KVR PDB entry):

"uid": "3e280689",
"name": "Enhanced EQ",
"brand": "Native Instruments",
"type": "effect",
"category": "Fx|EQ",
"version": "1.4.5 (R666666666)",
"format": "VST3",
"filename": "Enhanced EQ.vst3",
"hidden": 0

Here's an example of information about the device (this is used for the Compare feature where a user can share their group with another user and compare their installed plugins and system info):

"deviceManufacturer": "",
"cpuModel": "Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz",
"cpuSpeed": "1505",
"cpuCores": "4",
"osName": "Windows 10",
"deviceDescription": "Windows (Desktop)",
"osVersion": "10.0.19045.4046",
"cpuVendor": "GenuineIntel",
"displayLanguage": "en-GB",
"physicalMemory": "16094",
"is64bit": "true",
"displayScale": "1.5",
"displayDpi": "144",
"displayWidth": "1707",
"displayHeight": "1067"
 
I'll reiterate once again, we do not share ANY personal information about any KSM user with anyone.

If you have further concerns, feel free to post here and we'll try and address them!

[Teksonik]

Ok so let's discuss this like adults and hopefully avoid any further "if you don't like it delete your account" level responses. I will play the devils advocate since this app is not something I would ever need (and I own over 900 plugins, none of which are pirated). Maybe for newbies but even then would it not be better to teach them how to properly maintain their systems and software on same? To me it's a "teach a man to fish, give a man a fish" scenario but I realize others will use the app so that's cool.

I’m just stating that for my sake since you’re making assumptions based purely on an outdated title.

If you can't change your "outdated title" should we trust you to handle this app and the implications of its use?

(Bolding is mine) 8. Personal Data and Privacy Protection KVR may collect your contact information and other information that you choose to provide, including but not limited to salutation, name, company, address, e-mail address, phone number, website, forum name, and information about registered products. When you use the Software, KVR may collect data about your computer’s hardware and operating system, and your provided email address. KVR collects, stores and processes your personal data for providing a service to you. In this context KVR may transmit certain information to commissioned third parties.

Why do you need my address and phone number? At any rate, the plugins on my systems are personal data.

Look, plain and simple this is data mining. Period. Now this is an opt-in situation so only those who wish to use the app must make the cost/benefit analysis.

Obviously considerable work has gone in to this app and more will be needed for bug fixes etc so either whoever is doing the work is working for free or there is some monetization involved to cover the costs and perhaps generate additional income.

I don't have a problem with KVR generating income. I sincerely hope Ben et al are being rewarded for their hard work and efforts. But data mining our systems to do so is something I personally find repugnant. Again this is opt-in with the app so not something I'll have to worry about. As long as people who do use the app know fully and clearly what they are signing up for.

Is it not enough that we must deal with the bloat and system drain from a myriad of "software managers", license managers, copy protection schemes, etc from developers like IK and NI and UAD and Waves and....so on?

I find the trend of developers taking ownership of our systems just because we install a single simple plugin very troubling and an order of magnitude more repugnant.

Anyway I'll wish KVR good luck with this app but caution everyone who wishes to use it to go in with eyes wide open.

[Ben [KVR]]

If you can't change your "outdated title" should we trust you to handle this app and the implications of its use?

Nate's primary role is advertising sales, but we are all involved in every part of KVR. You are reading an awful lot into nothing.

Why do you need my address and phone number?

We don't, and we don't ask for it.

Now this is an opt-in situation so only those who wish to use the app must make the cost/benefit analysis.

Quite.

And while we are at it, earlier you quoted someone as saying "Trust us. We'll respect your data". Where exactly do we say that?

[drsyncenstein]

The tone could be a little more friendly

Sorry!

Ha, thanks. But that was not directed to you

[drsyncenstein]

We do not share ANY personal information about any KSM user with anyone. No third party will ever know what plugins you have synced via KSM or what version number of any plugin you have installed or what your computer's name or ID is or what OS you are using or ... anything. We do not share ANY personal information about any KSM user with anyone.
....
 
I'll reiterate once again, we do not share ANY personal information about any KSM user with anyone.

If you have further concerns, feel free to post here and we'll try and address them!

Thanks for all that info. It would be nice to add that to the eula, or even better to ask consent for collecting and storing the data.
The EU definition of personal data is broad however. What i buy, or have bought is personal data. It is not unlikely that the collected information for a specific machine, or a set of plugins with specific versions, is so unique that it could be possible to uniquely identify someone. In that way it can become personal data. And needs to be treated like that.
I'm happy that you won't share personal information. What that means is dependent on KVR's opinion on what is personal data however.

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

[Tj Shredder]

We do not share ANY personal information about any KSM user with anyone. No third party will ever know what plugins you have synced via KSM or what version number of any plugin you have installed or what your computer's name or ID is or what OS you are using or ... anything. We do not share ANY personal information about any KSM user with anyone.

This is what I want to read in a privacy explanation. The other official one, probably copied from a lawyer. Does not tell me these crucial things. All the „may“ sentences would tell me the opposite of what your post tells me.
I do trust you if you post this in a public forum. Its way more valuable than those standard lawyer texts we see an almost every privacy policy page.
Your text does give me much more of an idea who you deal with the info. I guess its legally not as binding, because you might change details within. But if you do and still share this transparently like you did with this post, I feel perfectly save. This would be even safer than maintaining the list by hand on the KVR site. There is the danger of cross site scripting and other nightmares…
The machine ID how I understood it now, is just a cookie. Nothing anybody could use to track you down even if it gets stolen…
Sharing details how you process data could be an example to open the web for more transparency.
Thanks for these details…

[SLiC]

I'm not really sure what all the fuss is about- if you don't want KVR to have your data, don't install the app! I'm not sure how necessary it is in 2024, most of my plugs have some sort of inbuilt 'update' alert.

[chk071]

Wow, I wasn't aware than an IP adress is considered "private data" these days. Why do people even connect to the internet, which is a public place, when they already think they can hide their IP adress, which is the necessary identifier to route data?

Think people are really going nuts over this these days.

That said, of course KVR doesn't just code a piece of software for fun for your pleasure. The benefits have been pointed out comprehensibly.

[kisielk]

The machine identifier is a hash of a variety of data from the computer BIOS. It’s a single 64-bit number that doesn’t reveal anything about the details of the machine and just serves as an id to match the computer to its profile in the database. It’s provided by the JUCE framework and so there’s a good chance many plugin developers are using it in their licensing schemes. Something like iLok will be doing their own equivalent.

[Burillo]

Wow, I wasn't aware than an IP adress is considered "private data" these days. Why do people even connect to the internet, which is a public place, when they already think they can hide their IP adress, which is the necessary identifier to route data?

Think people are really going nuts over this these days.

That said, of course KVR doesn't just code a piece of software for fun for your pleasure. The benefits have been pointed out comprehensibly.

IP address absolutely is private data, because it (has a potential to) reveals your location, and because it exposes you to potential hacking/malware attacks.

[chk071]

Wow, I wasn't aware than an IP adress is considered "private data" these days. Why do people even connect to the internet, which is a public place, when they already think they can hide their IP adress, which is the necessary identifier to route data?

Think people are really going nuts over this these days.

That said, of course KVR doesn't just code a piece of software for fun for your pleasure. The benefits have been pointed out comprehensibly.

IP address absolutely is private data, because it (has a potential to) reveals your location, and because it exposes you to potential hacking/malware attacks.

I don't think you get the point of the discussion. Of course, a web server knows your IP adress. It's how something is used or processed, neither the IP adress nor the machine ID is something which is private and unknown to an application or a web app. What counts is what's done with it, not whether or not something is done with it at all.

Ben already stated extensively above what is done with the data gathered. I don't get why some still insist that this is all totally private. It isn't.